Method 1: external flasher

Read the flash chip contents

Turn off your X201.

Remove the following:

battery;

keyboard;

palmrest.

Locate the SPI chip. It should be beneath a protective plastic sheet, under where the keyboard was, at roughly the location where the trackpoint was. Next to it, you should see the label "SPI1" silk-screened in white on the motherboard.

The pinout is as follows. (The colors in parentheses are those used by the Bus Pirate breakout cable; your programmer may use leads with different colors. "N/C" means "not connected": these pins should not be connected to your programmer.) The top surface of the chip should have a small dimple or a dot of paint next to pin 1.

Not all external programmers supply enough current to enable reliable reads from and writes to the flash chip. If yours does not (as is the case with the Bus Pirate and the BeagleBone Black), then you may have to use a more powerful regulated power supply to feed the chip's 3.3V pin. Make sure not to exceed 3.3V.

Read the flash chip's contents at least twice, using Flashrom. Compare the files to be sure they are identical.

Once you have a good copy of the flash chip's contents, save a copy of the file to external media as a backup.

Neutralize the Intel Management Engine (optional)

As of March 2017, Coreboot builds for the X201 are thought to be incompatible with neutralized MEs: MEs neutralized with me_cleaner seem to work fine with the stock BIOS, but not with Coreboot. Making Coreboot compatible with neutralized MEs is a work in progress.

If you wish to attempt to neutralize your X201's ME anyway, see the instructions here.

If you have attempted the neutralization, please report the success or failure of the attempt here, to help the Coreboot and me_cleaner developers to improve their efforts.

Compile Coreboot

When compiling Coreboot, remember to enable HAVE_IFD and HAVE_ME_BIN, in order to incorporate, into the resulting build, the descriptor and ME firmware that you extracted earlier. The easiest way to do this is via make nconfig or make menuconfig: the relevant options are in the "Chipset" menu.

The result will typically be a file called in the build directory called coreboot.rom.

Flash Coreboot to the chip

Flash the resulting build/coreboot.rom to the chip, using Flashrom.

Method 2: unlocking the bootblock

No-one has so far published any success with this method. In theory, however, it is possible.

The locking mechanism is in the bootblock itself. The original firmware has a way to update it as follows.

Flash an update to the rewriteable region, containing a compressed copy of the new bootblock.

On next boot, the bootblock parses the rewritable region and sees that compressed copy.

That copy is uncompressed and flashed.

A way to unlock the bootblock would be to modify a firmware update to have a copy of the bootblock without protection. For this you would need to compress the modified block to fit into original space. The compression used is Lempel-Ziv- Huffman variant. Phcoder has written a compressor for it, but stated that it was not performant enough.